TRINET GROUP, INC. - (TNET)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Below is a discussion of our risk management and approach to governance as it relates to cyber risks. For additional information on the impact of cyber risks, refer to Part I, Item 1A. Risk Factors, of this Form 10-K, under the heading “Data Privacy and Security Risks”.
Cyber Risk Management and Strategy
Our Global Security program aims to safeguard critical assets through a risk-based approach to cybersecurity. The CSO provides leadership for the program. We employ a defense-in-depth strategy and have established a Security Risk Management Program. In that regard, we built a customized IRCF that was developed with the specific intent of keeping information assets secure and protecting technology resources from unauthorized disclosure, modification, deletion, and destruction. We have modeled our IRCF on several leading industry standards including portions of the NIST Cybersecurity Framework. The IRCF serves as an organizational model for governance and reporting and is reviewed annually.
Our Global Security Organization is responsible for the day-to-day execution of our cyber risk management strategy. This strategy has been incorporated into our overall ERM program and is thus informed by, and overseen through, our ERM program. Our ERM program facilitates identifying, prioritizing, analyzing and remediating enterprise risks, in which cyber risks are included. Within the broader ERM framework, we established a specific program, the IRM program, organizing the governance of risks associated with information held by us. The IRM Steering Committee, of which our CSO is a member, manages the IRM program and discusses the management of cyber risks on a regular cadence, and substantive updates from the IRM Steering Committee are provided to the ERM Steering Committee. Finally, through our ERM program, updates and discussion regarding our cybersecurity risk management are provided to and occur at the Risk Committee of our Board of Directors.
To supplement our cyber risk management capabilities, we utilize certain third-party vendors. These vendors support our ability to proactively secure our network and systems, in addition to ongoing monitoring of our cyber environment. With respect to our management of cyber risks arising from third-party vendors, we utilize an internal risk assessment and monitoring program that includes the identification and ongoing review of third-party controls.
As part of our cyber risk management strategy, we established a process for identifying and assessing the material risk of cybersecurity incidents. In the event a cybersecurity incident is identified, the CIRT, which is made up of a cross-functional team, including technology, security, finance and legal professionals, acts in accordance with established processes. The CIRT convenes regular meetings to review and analyze relevant cybersecurity indicators and information. Utilizing an IRC, if it is determined that an incident needs to be reviewed for potential materiality, it is referred to our Chief Legal Officer who will engage the necessary or desirable cross-functional professionals as needed in order to make a determination of materiality. We also seek to regularly update and upgrade our technology investments in an effort to further support our ability to identify and assess risks from cybersecurity incidents. We have not identified any cyber threats or incidents that have materially affected or are reasonably likely to materially affect us. For additional information on the potential impact of cybersecurity incidents on our business strategy, operations, or financial condition, refer to Part I, Item 1A. Risk Factors, of this Form 10-K, under the heading “Data Privacy and Security Risks”.
Cyber Risk Governance
Our Cyber Risk Management Strategy described in this Item 1C. is overseen by senior executives with experience in cybersecurity and our business operations and is ultimately overseen by the Risk Committee of the Board. Our Global Security Organization is tasked with executing this strategy through the implementation of cybersecurity policies, procedures, and strategies. In the event that a cybersecurity risk is identified, as and to the extent appropriate, the Global Security Organization manages the day-to-day response to such material risk and provides regular reports to the ERM Steering Committee, or the Risk Committee of the Board, or the Board, as appropriate. The CSO is also an advisor to the Company's Disclosure Committee, which meets quarterly.
On a quarterly basis, a meeting of the Risk Committee is convened to discuss and evaluate our management of enterprise-wide risks. Each meeting of the Risk Committee is facilitated by our Executive Director for ERM and includes programmatic updates from the CSO. The Risk Committee provides updates to the full Board of Directors regarding the state of the Company’s ERM program.
Cyber risks are an enterprise risk that the ERM Program monitors and thus such risks are an ongoing area of focus of the ERM Steering Committee and, as a result, the Risk Committee. On a monthly basis, the ERM Steering Committee is convened and receives pertinent updates regarding our management of cyber risks.
2023 FORM 10-K
In addition to the regularly scheduled programmatic updates that are provided to the ERM Steering Committee and the Risk Committee, we also established a process to inform such committees of cybersecurity events and allow them to monitor corresponding remediation efforts. Specifically, the IRM Steering Committee, consisting of senior leaders from the security, privacy, data governance, technology, records management, and third-party risk management programs, reports to the ERM Steering Committee and has the responsibility to provide updates regarding the identification, management, and remediation of significant cybersecurity threats.
The ERM Steering Committee is similarly tasked with providing relevant updates to the Risk Committee regarding cybersecurity threats. Additionally, we have developed a process that is specific to the management and analysis of cybersecurity incidents. This process includes weekly and monthly updates from the CIRT along with escalation criteria that allow for incidents to be reviewed for materiality on an ad hoc basis. These updates are also provided to the ERM Steering Committee and the Risk Committee as necessary.
Our CSO leads our Global Security Organization, which is responsible for overseeing the Company's cyber risk management strategy. Our CSO has over 20 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other companies. Team members who support our Global Security team have relevant educational and industry experience, including holding similar positions at other large companies.